OpenDS DSMLv2 authentication - authentication

I have set up OpenDS and installed the DSML service in Tomcat.
I can verify that the setup works correctly. However, I cannot authenticate to make changes using the DSML service.
In soapUI, I have prepared a request. I have put the principal and password in the HTTP basic authentication properties of the request.
However, when executing the call, I get the following error message in the response from the service:
The entry o=TestOrgUnit,dc=example,dc=com cannot be added due to insufficient access rights
What is the correct way of specifying the credentials otherwise? Is it something that must be done in the SOAP request message?

This should work as long as the principal is in the form of a DN (of an existing user).
The server should also have access controls setup to allow that users to Add entries.
Insufficient access rights seems to indicate that either the LDAP connection was not authenticated, or the ACI do not allow that user to add to the OpenDS directory.
You might want to check OpenDJ DSML gateway as it offers more capabilities that OpenDS with regards to authentication (including support for LDAPS). The trunk or OpenDJ 2.5.0-Xpress1 have that support.
Kind regards,
Ludovic Poitou
ForgeRock - Product Manager for OpenDJ. http://opendj.forgerock.org/

Related

WSO2 - SCIM request not produced when creating a new object on LDAP

I'm using WSO2 Identity Server 5.10.0 with an Open LDAP as a user store and I want to send a SCIM request to another server whenever a new user is created.
To do that I configured my WSO2 to do Outbound Provisioning, by following the WSO2 documentation.
When I create a new user through the Management Console, a SCIM request is properly sent, which tells me that my Outbound Provisioning configurations are probably correct.
However, when I create a new user by constructing a new object directly on the LDAP, no SCIM request is sent to the other server even though the user is properly created and appears when you go to "List" under "Users and Roles" in WSO2's Management Console.
What could be the cause of this and what can I do about it?
Thanks
This is the expected behavior and it's correct.
When you directly create users in the LDAP, WSO2 is not aware of those user creation events. Since the outbound provisioning is triggered upon a successful user creation event, your observation is expected.
Creating users directly in the LDAP is not recommended. User identities should be managed via WSO2 Identity Server. Otherwise, there could occur more issues (caching and data inconsistency issues) than just a provisioning failure.
Finally, if you want WSO2 to provision the users automatically you should create the users via WSO2 (SCIM or management console). Otherwise, you might have to delegate the outbound provisioning process to whatever the entity that's creating users in the LDAP directly.

Oauth service for LDAP authentication

We have a scenario where we have to authenticate the user with LDAP server
Flow 1:
client --> application server --> LDAP server
In above flow the client enters LDAP credentials which comes to application server and then using python-ldap we can authenticate the user, straight forward. Since the user LDAP credentials comes to application server an organisation may not be willing for such flow for obvious reasons.
Flow 2:
client --> oauth2 --> LDAP server
Oauth scenario suites best here, since authentication of the user is responsibility of the oauth and application server do not need to know the user credentials.
Have anyone encountered such case, if yes, how you tackled it?
Is there are any Oauth client for LDAP free and paid ?
If you don't want user credentials to reach the Application server then what you need is a perimeter authentication. You need to have an external authentication provider , say Oracle Access Manager, that will perform the authentication and set a certain token in the request. The application server can assert this token and let user access resources. This model enables SSO as well.
The resources that require authorized access are configured as protected URLs in OAM.
When a user tries to access a protected resource he is challenged for credentials.
OAM authenticates the user against an LDAP directory(that is configured in OAM).
A token corresponding to the authenticated user is set in the request. Also an SSO cookie is set.
Application server (Weblogic) can assert (verify) this token and let the user access the resource.
Note: Oracle Access Manager supports oAuth as well.
Ory Hydra https://ory.sh/hydra might be what the original poster was asking for. This question is several years old now but in the interest of helping anyone else who sees this...check out Ory Hydra. It provides the OAuth2/OpenID parts and can be linked to an LDAP server behind the scenes.
canaille is a free and light OAuth2/OpenID service over a LDAP backend, written in python. (canaille developper here)
https://gitlab.com/yaal/canaille

Kerberos siteminder integration

We have a Siteminder running in our organization and I want to use Kerberos to authenticate users.
The setup is like this:
Our appserver has siteminder agent that can authenticate users, agent connects to Siteminder, siteminder connects to active directory.
My question is this - what do I need to do on my appserver in order to be able to use Kerberos to authenticate users.
I might accept a good guide to how to do it as an answer.
This guide says you need to set your service account to system and set authentication in IIS to be anonymous only. This sounded totally crazy to me at first, but as you read on they explain how the additional ISAPI dll they have you add will intercept the SiteMinder auth and should pass the authentication through. Not sure if it's actually kerberos or not...

LDAP - unable to add entries

Im using LDAP Admin Tool Professional 6.0
When i try to add an entry or try to add an attribute to an existing record,I get this error:
Strong Authentication Required
LDAPException: Strong Authentication Required (8) Strong Authentication Required
LDAPException: Server Message: modifications require authentication
LDAPException: Matched DN:
What could be wrong?
"modifications require authentication" indicates that you did not authenticate to the LDAP server at all, but doing an anonymous bind. While you may read a lot of things as anonymous user, depending on the ACL of the server, all server implementations I know do not allow write operations without authentication.
So you need to specify "Bind DN" and "Bind Password" in your LDAP client software to make any modifications to the data stored in the LDAP directory.
The message is very clear. The administrators require a stronger authentication scheme. Use something stronger with the correct credentials and the authentication will succeed - assuming you are trying to authenticate before the add. If you are trying to add entries without authenticating at all, note that directory server administrators may forbid it.
I don't know about your "Admin Tool Professional 6.0" but LDAP is not accepting your login.
Check your DN

Does LDAP provide a token after binding, so I don't have to send credentials every time?

I have a web application (PHP, but doesn't matter). It uses LDAP for authentication (already working), and it allows users to search LDAP (already working).
But when searching, I use a generic process account to bind() and then run the search().
What I would like is to use the LDAP account that logs in to be the same account that binds for the searching. But the only way I see to do that is to store the user's credentials in the sessions (bad!).
Nutshell: can I get a "state/session/??" token from LDAP, to bind() and then search() on subsequent http requests?
(btw, using Active Directory.)
Basic LDAP doesn't provide anything like this. The credentials that you present when binding are used for the rest of the connection, so if you could keep an LDAP connection open across multiple HTTP requests (and share LDAP connections among however many server jobs you have running), then you could avoid saving credentials.
There are various extensions to LDAP floating around (including several within Active Directory), so it's possible that one of those adds sessions-across-connections, but if so, I'm not aware of it.
As a sort-of-workaround, because Active Directory supports GSSAPI and because of how Kerberos works, you ought to be able to use the user's credentials to request a Kerberos ticket for accessing LDAP then store that ticket as your "state/session/??" token. This Kerberos ticket would only be valid for accessing LDAP and would auto-expire, so this would avoid the pitfalls of storing the user's credentials in the session. I don't know if your LDAP library supports GSSAPI and would give you enough control to do this or not.